Google’s Real Secret Spy Program? Secure FTP

Photoillustration: Kevin Poulsen/Wired

Google does not participate in any government program involving a lockbox or other equipment installed at its facilities to transfer court-ordered data to the government, a company spokesman says, refuting with some finality one of the lingering theories about the NSA’s PRISM program.

Instead, the company transmits FISA information the old-fashioned way: by hand, or over secure FTP.

“When required to comply with these requests, we deliver that information to the US government — generally through secure FTP transfers and in person,” Google spokesman Chris Gaither told Wired. “The US government does not have the ability to pull that data directly from our servers or network.”

Secure FTP is a standard utility on Unix and Linux systems for transferring files over an encrypted channel.

The unequivocal statement is meant to set the record straight on information reported and suggested in stories about the PRISM program, which described a system whereby nine internet companies, including Google, Yahoo and Facebook, had special equipment installed in their facilities that allowed NSA analysts sitting at their desks to query the data directly.

But Gaither asserted that the company had no such equipment installed.

“We refuse to participate in any program — for national security or other reasons — that requires us to provide governments with access to our systems or to install their equipment on our networks,” he said.

Asked if Google had had discussions with the Feds in the past about creating or installing a system for obtaining court-ordered data more easily, he replied, “We have been asked to do things in the past and we have declined.”

Facebook and Yahoo declined to clarify what systems they use to transmit court-ordered data to the government.

Stories about PRISM, published by the Guardian and Washington Post, were based on a 41-slide PowerPoint presentation that former NSA system administrator Edward Snowden leaked to them. Initially, the papers reported that PRISM was a bulk-collection program that allowed the National Security Agency to tap directly into the servers of the nine companies to extract audio and video chats, photographs, e-mails, documents, and connection logs of foreign targets.

The CEOs of Google and Facebook denied that the government had a backdoor into their systems or that they provided the government with bulk data. Other companies identified as being part of the program denied participating in it as well.

In the wake of denials, the Post revised its story to say that instead of direct access to servers, the companies had installed special systems that stored data that NSA analysts could directly access from their desktops at Ft. Meade and elsewhere.

“[C]ollection managers [can send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers, the Post wrote.

The PRISM program was created after much negotiation with federal authorities, the paper said, who had pressed the companies to provide them with a way to obtain easier access to data they were entitled to under court orders granted by the secret FISA court.

“From their workstations anywhere in the world, government employees cleared for PRISM access may ‘task’ the system and receive results from an Internet company without further interaction with the company’s staff,” the paper wrote.

Microsoft was the first to acquiesce to the program in 2007, and Google followed in 2009, according to the slides the paper obtained.

The New York Times then published a story describing the special equipment installed at company facilities as a kind of lockbox into which data was placed for the NSA to examine. The Times said that the Feds had discussed a plan with Google and Facebook to build a separate, secure portal, like a secure reading room for classified information, “in some instances on company servers.”

“Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said,” the Times reported.

But Gaither says all accounts are wrong with regard to Google.

He further added that each year, only a tiny fraction of its users are subject to government requests for data.

“If we could publish those numbers openly — as we are asking — they would show that our compliance with these national security requests falls far short of the claims being made,” he said.

Google made a plea to the Justice Department to do just that today. It published a letter sent to Attorney General Eric Holder and FBI Director Robert Mueller seeking permission to publish information about the number of requests for data it gets under the Foreign Intelligence Surveillance Act each year.

The company made the request to help address public concerns that Google might be providing unfettered access to user data or providing the government with bulk data.

“[G]overnment nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation,” Google’s Chief Legal Officer David Drummond wrote in the letter, published to Google’s blog.

“We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope,” he continued. “Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.”

For the first time this year, Google began publishing information about the National Security Letters it receives each year after negotiating with the government for permission to disclose them. The NSL figures Google provides are broad-stroke numbers in the form of a range, such as 0-999 requests, for the number of court-authorized requests it gets as well as a similar broad range for the number of user accounts affected by the requests.

Gaither told Wired that the company wants to do something similar for FISA requests, which Google and other recipients of such requests are barred from discussing.

“We would welcome the opportunity to provide a transparency report that allows us to share with those who use Facebook around the world a complete picture of the government requests we receive, and how we respond,” Facebook General Counsel Ted Ullyot wrote. “We urge the United States government to help make that possible by allowing companies to include information about the size and scope of national security requests we receive, and look forward to publishing a report that includes that information.”
